CVE-2021-24558 Information

Description

The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://codevigilant.com/disclosure/2021/wp-plugin-project-status/
https://wpscan.com/vulnerability/ca5f2152-fcfd-492d-a552-f9604011beff

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
